Authentication of an original equipment manufacturer entity
Abstract
There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
Claims
The invention claimed is:
1. A method for authenticating an Original Equipment Manufacturer (OEM), entity as manufacturer of a communication device comprising an identification module, the method being performed by a network entity, the method comprising:
providing, towards the identification module, a challenge of a challenge-response authentication procedure;
obtaining, from the identification module, a first response of the challenge-response authentication procedure;
providing, towards the OEM entity and upon having obtained the response, the challenge, the challenge accompanied by OEM specific data and the first response based on the OEM specific data, the OEM specific data relating to any of: identity of the MNO entity, Mobile Country Code and Mobile Network Code of the OEM, organization number of the OEM, Fully Qualified Domain Name of the OEM, name of production site of the communication device, address or other contact information of the OEM, device model number or type of the communication device;
obtaining, from the OEM entity, a second response of the challenge-response authentication procedure; and
authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
2. The method according to claim 1, further comprising:
obtaining, a verification of network provisioning of the identification module, wherein the challenge only is provided towards the identification module upon having obtained the verification.
3. The method according to claim 2, wherein the verification is obtained by querying a ledger that a key K_OEM has been provisioned for the communication device.
4. The method according to claim 1, wherein the network entity is a device owner entity or a mobile network operator entity.
5. The method according to claim 1, further comprising, when the network entity is a mobile network operator entity:
providing, towards the identification module, a network access key upon having authenticated the OEM entity as the manufacturer of the communication device.
6. The method according to claim 5, wherein the network access key is an Authentication Key Agreement (AKA), symmetric credential, or an Extensible Authentication Protocol Transport Layer Security (EAP-TLS), public-key credential.
7. A method for authenticating an Original Equipment Manufacturer (OEM), entity as manufacturer of a communication device comprising an identification module, the method being performed by the identification module, the method comprising:
obtaining, from a network entity, a challenge of a challenge-response authentication procedure; and
providing, towards the network entity, a first response of the challenge-response authentication procedure, the challenge accompanied by OEM specific data and the first response derived based on the OEM specific data, the OEM specific data relating to any of: identity of the MNO entity, Mobile Country Code and Mobile Network Code of the OEM, organization number of the OEM, Fully Qualified Domain Name of the OEM, name of production site of the communication device, address or other contact information of the OEM, device model number or type of the communication device.
8. The method according to claim 7, wherein a key K_OEM is derived as part of deriving the first response.
9. The method according to claim 8, wherein the key K_OEM is derived based on the OEM specific data and a long-term key K, and wherein the first response is derived based on the key K_OEM and the challenge.
10. The method according to claim 7, wherein the identification module is part of, or implemented on, a Trusted Execution Environment (TEE).
11. The method according to claim 7, wherein the identification module is a Universal Integrated Circuit Card (UICC), such as an embedded UICC or an integrated UICC.
12. The method according to claim 7, further comprising, when the network entity is a mobile network operator entity:
obtaining, from the network entity, a network access key upon having authenticated the OEM entity as the manufacturer of the communication device.
13. The method according to claim 12, wherein the network access key is an Authentication Key Agreement (AKA), symmetric credential, or an Extensible Authentication Protocol Transport Layer Security (EAP-TLS), public-key credential.
14. A method for authenticating an Original Equipment Manufacturer (OEM), entity as manufacturer of a communication device comprising an identification module, the method being performed by the OEM entity, the method comprising:
obtaining, from a network entity, a challenge of a challenge-response authentication procedure; and
providing, towards the network entity, a second response of the challenge-response authentication procedure, the challenge accompanied by OEM specific data and the second response derived based on the OEM specific data, the OEM specific data relating to any of: identity of the MNO entity, Mobile Country Code and Mobile Network Code of the OEM, organization number of the OEM, Fully Qualified Domain Name of the OEM, name of production site of the communication device, address or other contact information of the OEM, device model number or type of the communication device.
15. The method according to claim 14, wherein the second response is derived from a key K_OEM and the challenge.
16. The method according to claim 15, wherein the key K_OEM is obtained from a manufacturing entity of the identification module.
17. A method for authenticating an Original Equipment Manufacturer (OEM), entity, as manufacturer of a communication device comprising an identification module, the method comprising:
providing, by a network entity and towards the identification module, a challenge of a challenge-response authentication procedure;
providing, by the identification module and towards the network entity, a first response of the challenge-response authentication procedure;
providing, by the network entity upon having obtained the response and towards the OEM entity, the challenge, the challenge accompanied by OEM specific data and the first response derived based on the OEM specific data, the OEM specific data relating to any of: identity of the MNO entity, Mobile Country Code and Mobile Network Code of the OEM, organization number of the OEM, Fully Qualified Domain Name of the OEM, name of production site of the communication device, address or other contact information of the OEM, device model number or type of the communication device;
providing, by the OEM entity and towards the network entity, a second response of the challenge-response authentication procedure; and
authenticating, by the network entity, the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
18. A network entity for authenticating an Original Equipment Manufacturer (OEM), entity, as manufacturer of a communication device comprising an identification module, the network entity comprising processing circuitry, the processing circuitry being configured to cause the network entity to:
provide, towards the identification module, a challenge of a challenge-response authentication procedure;
obtain, from the identification module, a first response of the challenge-response authentication procedure;
provide, towards the OEM entity and upon having obtained the response, the challenge, the challenge accompanied by OEM specific data and the first response derived based on the OEM specific data, the OEM specific data relating to any of: identity of the MNO entity, Mobile Country Code and Mobile Network Code of the OEM, organization number of the OEM, Fully Qualified Domain Name of the OEM, name of production site of the communication device, address or other contact information of the OEM, device model number or type of the communication device;
obtain, from the OEM entity, a second response of the challenge-response authentication procedure; and
authenticate the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
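An added Python simulation of the three-party exchange in claims 1, 7 and 14 (example code, not the patent's own). It assumes HMAC-SHA256 for both the K_OEM derivation of claim 9 and the response function, and uses constructed keys and OEM specific data. It shows that the network entity never needs K or K_OEM, and that the match fails both for a party lacking the provisioned K_OEM and for a device whose module was never keyed for that OEM.

```python
import hashlib
import hmac
import secrets

# Assumed construction: the claims leave the key-derivation and response
# functions unspecified, so HMAC-SHA256 stands in for both here.
def derive_k_oem(long_term_key: bytes, oem_specific_data: bytes) -> bytes:
    """K_OEM derived from the long-term key K and OEM specific data (claim 9)."""
    return hmac.new(long_term_key, b"K_OEM|" + oem_specific_data, hashlib.sha256).digest()

def response(k_oem: bytes, challenge: bytes) -> bytes:
    """Response derived from K_OEM and the challenge (claims 9 and 15)."""
    return hmac.new(k_oem, b"RESP|" + challenge, hashlib.sha256).digest()

class IdentificationModule:
    """UICC/TEE side: holds K, derives K_OEM on demand, returns the first response."""
    def __init__(self, long_term_key: bytes):
        self._k = long_term_key
    def respond(self, challenge: bytes, oem_specific_data: bytes) -> bytes:
        return response(derive_k_oem(self._k, oem_specific_data), challenge)

class OemEntity:
    """OEM side: holds only K_OEM values provisioned by the module maker (claim 16),
    indexed by the OEM specific data that accompanies the challenge."""
    def __init__(self, provisioned: dict):
        self._keys = provisioned
    def respond(self, challenge: bytes, oem_specific_data: bytes) -> bytes:
        k_oem = self._keys.get(oem_specific_data)
        return response(k_oem, challenge) if k_oem else b""   # no key: empty response

def authenticate_oem(module: IdentificationModule, oem: OemEntity,
                     oem_specific_data: bytes, challenge: bytes = b"") -> bool:
    """Network entity side (claim 1): never learns K or K_OEM, only compares."""
    challenge = challenge or secrets.token_bytes(16)   # fresh nonce, so replays fail
    first = module.respond(challenge, oem_specific_data)      # steps 1-2
    second = oem.respond(challenge, oem_specific_data)        # steps 3-4
    return hmac.compare_digest(first, second)                 # step 5, constant time

def demo() -> tuple:
    """Constructed keys/data; returns (genuine OEM, impostor, device from other K)."""
    k = secrets.token_bytes(32)                              # long-term key K in the module
    oem_data = b"MCC=240;MNC=01;FQDN=oem.example"           # constructed OEM specific data
    module = IdentificationModule(k)
    genuine = OemEntity({oem_data: derive_k_oem(k, oem_data)})   # K_OEM from UICC maker
    impostor = OemEntity({oem_data: secrets.token_bytes(32)})    # claims OEM role, wrong key
    foreign = IdentificationModule(secrets.token_bytes(32))      # device genuine OEM never built
    return (authenticate_oem(module, genuine, oem_data),
            authenticate_oem(module, impostor, oem_data),
            authenticate_oem(foreign, genuine, oem_data))
```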